public final class AciHandler extends AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Modifier and Type | Field and Description |
---|---|
static String | ALL_OP_ATTRS_MATCHED: String used to indicate that the evaluating ACI had an all operational attributes targetattr match (targetattr="+"). |
static String | ALL_USER_ATTRS_MATCHED: String used to indicate that the evaluating ACI had an all user attributes targetattr match (targetattr="*"). |
static String | ORIG_AUTH_ENTRY: String used to save the original authorization entry in an operation attachment if a proxied authorization control was seen. |
Constructor and Description |
---|
AciHandler(): Creates a new DSEE-compatible access control handler. |
Modifier and Type | Method and Description |
---|---|
void | filterEntry(Operation operation, SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry): Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access. |
void | finalizeAccessControlHandler(): Performs any necessary finalization for the access control handler implementation. |
void | initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg configuration): Initializes the access control handler implementation based on the information in the provided configuration entry. |
boolean | isAllowed(BindOperation bindOperation): Indicates whether the provided bind operation is allowed based on the access control configuration. |
boolean | isAllowed(DN entryDN, Operation op, Control control): Indicates whether the provided control is allowed based on the access control configuration and the specified operation. |
boolean | isAllowed(ExtendedOperation operation): Indicates whether the provided extended operation is allowed based on the access control configuration. |
boolean | isAllowed(LocalBackendAddOperation operation): Indicates whether the provided add operation is allowed based on the access control configuration. |
boolean | isAllowed(LocalBackendCompareOperation operation): Check access on compare operations. |
boolean | isAllowed(LocalBackendDeleteOperation operation): Check access on delete operations. |
boolean | isAllowed(LocalBackendModifyOperation operation): Indicates whether the provided modify operation is allowed based on the access control configuration. |
boolean | isAllowed(ModifyDNOperation operation): Checks access on a modifyDN operation. |
boolean | isAllowed(Operation operation, Entry entry, SearchFilter filter): Indicates whether the provided operation search filter is allowed based on the access control configuration. |
boolean | isAllowed(SearchOperation searchOperation): Indicates whether the provided search operation is allowed based on the access control configuration. |
boolean | mayProxy(Entry proxyUser, Entry proxiedUser, Operation op): Indicates if the specified proxy user entry can proxy, or act on behalf of, the specified proxied user entry. |
boolean | maySend(DN dn, Operation operation, SearchResultReference reference): Indicates whether the provided search result reference may be sent to the client based on the access control configuration. |
boolean | maySend(Operation operation, SearchResultEntry entry): Indicates whether the provided search result entry may be sent to the client. |
Methods inherited from class AccessControlHandler: canDiscloseInformation, isConfigurationAcceptable
public static final String ALL_OP_ATTRS_MATCHED
public static final String ALL_USER_ATTRS_MATCHED
public static final String ORIG_AUTH_ENTRY
public AciHandler()
public void filterEntry(Operation operation, SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry)
filterEntry
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The operation currently being processed (this will usually be a search, but may be other types of operation when pre/post read controls are used).
unfilteredEntry - The result entry before any attribute filtering.
filteredEntry - The partially filtered result entry being returned to the client.
public void finalizeAccessControlHandler()
finalizeAccessControlHandler
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
public void initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg configuration) throws org.forgerock.opendj.config.server.ConfigException, InitializationException
initializeAccessControlHandler
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
configuration - The configuration object that contains the information to use to initialize this access control handler.
org.forgerock.opendj.config.server.ConfigException - If an unrecoverable problem arises in the process of performing the initialization.
InitializationException - If a problem occurs during initialization that is not related to the server configuration.
public boolean isAllowed(DN entryDN, Operation op, Control control) throws DirectoryException
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
entryDN - A DN that can be used in the access determination.
op - The operation to use in the determination.
control - The control for which to make the determination.
true if the control should be allowed by the access control configuration, or false if not.
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
public boolean isAllowed(ExtendedOperation operation)
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The operation for which to make the determination.
true if the operation should be allowed by the access control configuration, or false if not.
public boolean isAllowed(LocalBackendAddOperation operation) throws DirectoryException
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The operation for which to make the determination.
true if the operation should be allowed by the access control configuration, or false if not.
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
public boolean isAllowed(BindOperation bindOperation)
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
bindOperation - The operation for which to make the determination.
true if the operation should be allowed by the access control configuration, or false if not.
public boolean isAllowed(LocalBackendCompareOperation operation)
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The compare operation to check access on.
public boolean isAllowed(LocalBackendDeleteOperation operation)
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The delete operation to check access on.
public boolean isAllowed(ModifyDNOperation operation)
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The modifyDN operation to check access on.
public boolean isAllowed(LocalBackendModifyOperation operation) throws DirectoryException
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The operation for which to make the determination.
true if the operation should be allowed by the access control configuration, or false if not.
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
public boolean isAllowed(SearchOperation searchOperation)
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
searchOperation - The operation for which to make the determination.
true if the operation should be allowed by the access control configuration, or false if not.
public boolean isAllowed(Operation operation, Entry entry, SearchFilter filter) throws DirectoryException
isAllowed
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The operation for which to make the determination.
entry - The entry for which to make the determination.
filter - The filter to check access on.
true if the operation should be allowed by the access control configuration, or false if not.
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
public boolean mayProxy(Entry proxyUser, Entry proxiedUser, Operation op)
mayProxy
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
proxyUser - The entry to use as the proxy user.
proxiedUser - The entry to be proxied by the proxy user.
op - The operation to use in the evaluation.
true if the access control configuration allows the proxy user to proxy the proxied user, or false if not.
public boolean maySend(DN dn, Operation operation, SearchResultReference reference)
maySend
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
dn - A DN that can be used in the access determination.
operation - The operation with which the provided reference is associated.
reference - The search result reference for which to make the determination.
true if the access control configuration allows the reference to be returned to the client, or false if not.
public boolean maySend(Operation operation, SearchResultEntry entry)
maySend
in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
operation - The operation currently being processed (this will usually be a search, but may be other types of operation when pre/post read controls are used).
entry - The result entry before any attribute filtering.
true if the access control configuration allows the entry to be returned to the client, or false if not.
Copyright © 2010-2016 ForgeRock AS. All Rights Reserved.